Merged from http://go/wvgerrit/114903
There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17649616064
Bug: 176496160
Bug: 176444786
Change-Id: I208e0d5d949e8ef003fcf7d6f129eab66b9b3656
[ Merge of http://go/wvgerrit/108084 ]
The Widevine License Agreement has been renamed to use inclusive
language. This covers files in the android directory.
Bug: 168562298
Test: verified compilation (comment only change)
Change-Id: I0f9e6445e0168ebe85425baeb81371e182e5a39c
(This is a merge of http://go/wvgerrit/94928.)
In OEMCrypto v16, we dropped support for 'cens' and 'cbc1'. However, we
did not redefine the pattern (0,0) to be a valid pattern for 'cbcs', even
though it was no longer being used to signal 'cbc1'. Instead, we made
the CDM reject CTR with a pattern ('cens') and CBC with a (0,0) pattern
('cbc1') to mirror the behavior of OEMCrypto v16.
However, some apps have been using 'cbc1' mode to decrypt audio in
'cbcs' content. This is normally not possible but is possible for a
subset of content. Furthermore, it is easy to do by accident because of
the way most packagers package 'cbcs' audio and the special significance
Widevine has historically given the (0,0) pattern.
This patch updates the CDM to not reject CBC with a (0,0) pattern but
instead treat it as 'cbcs' content. To decrypt it correctly, the pattern
is treated specially inside the CDM core and converted to the
recommended equivalent pattern — (10,0) — before passing the content to
OEMCrypto.
For more specifics, please see the design doc: http://go/vclfg
Bug: 150219982
Test: ExoPlayer Demo App 'cbcs' Content
Test: GTS 'cbcs' Content
Change-Id: I334ff15db5f7b7d62040a036ba6d17515c3caee4
(This is a merge of http://go/wvgerrit/93829,
http://go/wvgerrit/93830, http://go/wvgerrit/93832,
http://go/wvgerrit/93833, and http://go/wvgerrit/93834 from the
Widevine repo.)
This implements the CDM code changes necessary to take advantage of
Combined Decrypt Calls on OEMCrypto v16. The result of this is that
WVCryptoPlugin is much lighter now because it can pass the full sample
down to the core in one call, but CryptoSession is heavier, as it now
has to handle more complex fallback logic when devices can't handle
multiple subsamples at once.
This patch also removes support for the 'cens' and 'cbc1' schema, which
are being dropped in OEMCrypto v16. This fixes an overflow in the code
for handling those schemas by removing it entirely.
This patch also fixes the "in chunks" legacy decrypt path to use larger
chunk sizes on devices with higher resource rating tiers.
Bug: 135285640
Bug: 123435824
Bug: 138584971
Bug: 139257871
Bug: 78289910
Bug: 149361893
Test: no new CE CDM Unit Test failures
Test: Google Play plays
Test: Netflix plays
Test: no new GTS failures
Change-Id: Ic4952c9fa3bc7fd5ed08698e88254380a7a18514
(This is a merge of http://go/wvgerrit/92191)
This reverts commit 8fe569cc1265021e275a9bccbc362ebd2ba3be5f.
The ISO-CENC spec is ambiguous about how to handle the early truncation
of the pattern in the 'cens' and 'cbcs' schema. We originally
interpreted it to mean "follow the pattern until you run out of full
crypto blocks" and shipped the Android and OEMCrypto code accordingly.
Later, however, other engineers at Google asserted that it should mean
"follow the pattern until you run out of enough crypto blocks to follow
the encrypted part of the pattern", which is subtly different when the
number of encrypted blocks in the pattern is greater than 1. We made
changes to start accommodating this. However, after further discussion,
everyone is in agreement that the original behavior was correct. So I am
reverting the "fixes" that had already been made.
This has no practical effect, since it only affects 'cens' content with
a pattern that has more than one encrypted block, and as far as we know,
no one has ever generated content like that. Shaka Packager is not
capable of generating content like that.
Bug: 111001481
Test: No new Android Unit Tests failures
Change-Id: I8f0292b1222d6af9a0ae33d6cb91707fd40101f4
(This is a merge of modmaker@'s change from the Widevine repo,
http://go/wvgerrit/48880)
When using pattern encryption, WVCryptoPlugin needs to increment the
IV after each subsample. It should increment it based on the number
of actually encrypted samples (i.e. ignore clear data caused by
subsamples or pattern encryption).
In the common encryption spec, section 9.6.1 states:
If the last Block pattern in a Subsample is incomplete, the partial
pattern SHALL be followed until truncated by the BytesOfProtectedData
size and any partial crypt_byte_block SHALL remain unencrypted.
This fixes the counting of encrypted blocks to account for partial
patterns. This also makes it more efficient by removing the loop.
Bug: 111001481
Test: build_and_run_all_unit_tests
Test: Widevine GTS Tests
Change-Id: Ibd2bf10f64461b9bce10ef07453096fe4a4f6376
Merge of http://go/wvgerrit/70163
New codes are being added to handle resource
contention, lost session state, frame size too
large and insufficient security level for
decryption. Also cleans up inconsistent use of
tamper detected error where invalid state error
should have been used.
bug:111504510
bug:111505796
test: cts and gts media tests, widevine integration tests
Change-Id: I96ee441717d32ccbcabaa85c8f6a0013055ce16e
It is not an error for mapMemory to return nullptr,
remove the log message.
merged from http://go/wvgerrit/68605
bug:120148333
Change-Id: If58a4335ec3b8bd8d84993bb3959e5ccafb708e1
Widevine HIDL service added new v1.2 media APIs,
update the service to support new APIs.
Merged from http://go/wvgerrit/67083
Test: Netflix and Play Movies & TV (streaming and offline playback)
Test: GTS WidevineH264PlaybackTests test
e.g. ANDROID_BUILD_TOP= ./android-gts/toolsefed run gts -m GtsMediaTestCases
--test com.google.android.media.gts.WidevineH264PlaybackTests#testL1With480P30
Test: Widevine unit tests
bug: 117570686
Change-Id: I3a2091e7c62a0d2697ef97f983fd898aedfb4519
Merge from Widevine repo of http://go/wvgerrit/47860
This CL updates the copyright notice to indicate that files
shared with partners are shared under the Widevine Master
License Agreement.
bug: 77926774
test: comment change only
Change-Id: I0423668111578b80fb39a932d763df2827e2dfc3
Merged from http://go/wvgerrit/44803.
Upgrade HIDL service to v1.1 and implements new 1.1 media API.
Test: Netflix and Play Movies & TV
streaming and offline playback
Test: GTS WidevineH264PlaybackTests test
e.g. ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts -m GtsMediaTestCases
--test com.google.android.media.gts.WidevineH264PlaybackTests#testL1With480P30
Test: GTS MediaDrmTest tests
e.g. ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts -m GtsMediaTestCases
--test com.google.android.media.gts.MediaDrmTest#testWidevineApi28
Test: unit tests
bug: 69674645
Change-Id: I91e7e43f9178b61a531e846beffb5f5c17050a3c
[ Merged of http://go/wvgerrit/39766 ]
The security level (software/hardware, decryption/decode)
in the policy that specified how the key was to be used was
not being respected for L3. Playback would either continue or
a vendor specific error would be thrown.
If the device cannot use the key as permitted by the policy
CryptoException#ERROR_INSUFFICIENT_OUTPUT_PROTECTION will be thrown.
Bug: 31913737
Bug: 31913439
Test: WV unit/integration tests
Test: Playback using playmovies and netflix. Cast playback using
playmovies.
Change-Id: If25735ab0f789108431115623cb236687c5ef818
These are a set of CLs merged from the wv cdm repo to the android repo.
* Resolve intermittent decrypt error.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/35720 ]
The CdmSession's closed state was not properly
initialized resulting in intermittent
SESSION_NOT_FOUND_FOR_DECRYPT errors.
In CdmEngine::Decrypt the session is looked up by
the key id. A list of open sessions is acquired
by calling CdmSessionMap::GetSessionList and each
session in the list is queried to see if it has
the key.
In building the list in CdmSessionMap::GetSessionList,
sessions are only added to the query list *if* the session
is not closed.
The closed status was not initialized and during testing
the query list would not contain the session causing
CdmEngine::Decrypt to return SESSION_NOT_FOUND_FOR_DECRYPT
resulting in the ce cdm api returning widevine::Cdm::kNoKey.
* No support for pre- C++11 compilation.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35381 ]
* Handle unaligned nonce pointer in RewrapDeviceRSAKey calls.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35340 ]
The pointer points into a message and it may not be aligned.
Always copy the nonce into aligned memory before checking it.
BUG: 38140370
Add note to CHANGELOG for this.
* Compiler strictness: more checks and code cleanup.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35300 ]
Use the switches proposed in b/38033653 (as much as possible - some
conflicts with protobufs and gtest prevent fully accepting them).
Switch to clang for x32 build; ensure that both x86-64 and x86-32 builds
compile and link cleanly.
BUG: 38032429
BUG: 38033653
This partially resolves b/38458986
* Android build fixes
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/35102 ]
These corrections address compile warnings and errors for android
and unit tests.
* Embedded License: Add sub license key sessions.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33680 ]
NOTE: this adds the AddSubSession() method, but it is not yet being
used. Use and proper cleanup is in an upcoming CL.
* Embedded license: Add track label field.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33660 ]
A new track label field (a string) is added to the key container and the
sub session data objects.
This field will be used in handling sub license requests.
* Embedded license: extract keys from init_data.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33621 ]
* Embedded license: add protobuf messages.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33620 ]
also sync the widevine header definition with recent naming changes.
* Improve handling of provisioning response errors.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/33600 ]
Separate out the case of no response and the case
where the message is believed to be a JSON+base64
message but it doesn't parse properly.
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I3c86f1c54980b071aec7461ac58541836551f896
Below are a set of CLs being merged from the wv cdm repo to the android repo.
* Fix handling of OEM Cert public key.
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/27921 ]
This is a potential fix for b/36656190. Set aside public
key on first call to get the public key, and use it afterwards.
This gets rid of extra calls to OEMCrypto_GetOEMPublicCertificate(),
which has side-effect of staging the OEM private key.
This also fixes a problem where the public cert string was
not being trimmed to match the size returned by
OEMCrypto_GetOEMPublicCertificate().
* Complete provisioning request/response for Provisioning 3.0
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27780 ]
Fix bug on provisioning request path where GenerateDerivedKeys()
was being called when preparing to generate the signature.
Add message signature verification, and call correct OEMCrypto
routine to rewrap the private key (OEMCrypto_RewrapDeviceRSAKey30).
* Implement Cdm::deleteAllUsageRecords()
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27780 ]
Delete all usage records for current origin. Removes usage
records from file system and retains the PSTs. The deletes
any usage entries matching those PSTs held by OEMCrypto.
BUG: 35319024
* Remove stringencoders library from third_party.
Author: Jacob Trimble <modmaker@google.com>
[ Merge of http://go/wvgerrit/27585 ]
We have a fork of the stringencoders library that we use for base64
encoding. This reimplements base64 encoding to remove the extra
dependency and to reduce the amount of code.
* Add Cdm::deleteUsageRecord() based on key_set_id.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27605 ]
Delete specified usage record from file system usage info and
from OEMCrypto.
BUG: 35319024
* Modifiable OEMCrypto
Author: Fred Gylys-Colwell <fredgc@google.com>
[ Merge of http://go/wvgerrit/24729 ]
This CL adds a new variant of the OEMCrypto mock code that adjusts its
behavior based on a configuration file. This is intended for
testing.
For example, a tester can set current_hdcp to 2 in the options.txt
file, push it to the device, and verify that a license is granted for
HDCP 2.0. Then the tester can edit the value of current_hdcp to 1 and
push the file to the device. Playback should stop because the license
is no longer valid.
This variant uses a real level 1 liboemcrypto.so to push data to a
secure buffer. That means we can test playback for a license that
requires secure buffers on an Android device with real secure buffers.
BUG: 35141278
BUG: 37353534
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I58443c510919e992bb455192e70373490a00e2b6
CdmResponseType are mapped to android::status_t, then map to hidl
android::hardware::drm::V1_0::Status. This CL removes the indirection
by mapping cdm errors to hidl Status.
Test: Play Movies (pin and streaming)
Test: Netflix (download and streaming)
Test: libwvdrmmediacrypto_hidl_test and libwvdrmdrmplugin_hidl_test
Test: GtsMediaTestCases module
Test: Vts - VtsHalDrmV1_0Target
bug: 34682447
Change-Id: I0b04f47871f5e4898e7297831d5fceab52e0f7f9
mapMemory can return a nullptr, must check for nullptr
IMemory.
Test: Play Movies (stream and pin movies)
Test: VtsHalDrmV1_0TargetTest
bug: 38386082
Change-Id: I66f9bfd08e36d575c7a45fe2eacd8fc981380c86
[ Merge of http://go/wvgerrit/25983 ]
Earlier versions of android returned CryptoException with
error code ERROR_NO_KEY, when a decrypt call was received before keys were
loaded. Changes to O resulted in ERROR_SESSION_NOT_OPENED being returned
instead. This CL reverts the behaviour.
Also a change to correct CDM error code numbering in comments.
Test: Verified by unit and integration tests
b/37219830
Change-Id: I43758cd29cf9d1945f878ac352a5f26538b48cdb
[ Merge of http://go/wvgerrit/25781 ]
The security level (software/hardware, decryption/decode)
in the policy that specified how the key was to be used was
not being respected for L3. Playback would either continue or
a vendor specific error would be thrown.
If the device cannot use the key as permitted by the policy
CryptoException#ERROR_INSUFFICIENT_OUTPUT_PROTECTION will be thrown.
Test: Verified by WV unit+integration tests.
Verified by WidevineDashPolicyTests
Verified by WidevineDashPolicyTests#testL3SoftwareSecureDecoderRequired,
testL3HardwareSecureCryptoRequired, testL3HardwareSecureDecodeRequired,
testL3SecureVideoPathRequired.
b/31913737
b/31913439
Change-Id: Ibfc7f3dd6fc7264e8cf9b0d33f6f8d619eed6c00
[ Merge of http://go/wvgerrit/25721 ]
Return CryptoException with errorCode ERROR_NO_KEY when an attempt is made
to make use of a license whose start time is in the future.
Test: Verified by WidevineDashPolicyTests#testL1LicenseStart2030
b/31914841
Change-Id: I2a157c227550a2391b6536365f34f1dfec3dea0c
Part of VTS test suite validation for
the binderized Widevine service
Test: Drm VTS test
bug:32815560
Change-Id: I0913c0e72487b5fdbf579b9ea3409c13264888fd
hidl_string no longer will provide an implicit cast to const char* as it
interfers with other expected behaviors of the class. It now emulated
std::string in requiring a call to .c_str() to get the same behavior.
Bug: 36532780
Test: Build the tree
Change-Id: I2ce4354619a99d7c5ae8b39762d5506891ccd1ed
Replace AString, KeyedVector, List, String8 and Vector
with stl containers. Remove corresponding frameworks
libraries.
Test: Play Movies & TV (streaming and pinning)
Test: Netflix
Test: unit tests
bug: 34677927
Change-Id: I125f45054987d69bbca59c1ffdcbe8add38c3c13
(This is a merge of go/wvgerrit/24739)
This cleans up some warnings in the Android glue code:
1) Checking if unsigned values are >= 0.
2) Using {0} initializer syntax instead of fully expanding to {0,0}.
Bug: 34394125
Test: Verified compilation passes
Change-Id: Id59730b97da7fce320f634451a44a4df4bf0b494
